Terms of Service
These Terms of Service ("Terms") govern your access to and use of the services, APIs, dashboards, and documentation (together, the "Service") provided by 0Day Labs ("0Day Labs", "we", "us", or "our"). By creating an account, calling our API, or otherwise using the Service, you agree to be bound by these Terms.
Acceptance & eligibility
By clicking "Create account", calling our API, or otherwise accessing the Service, you represent that (a) you are at least 18 years old or the age of majority in your jurisdiction, (b) you have the legal capacity and authority to enter into these Terms on behalf of yourself and, where applicable, the organization you identify at signup, and (c) your use of the Service will not violate any law or third-party right. If you do not agree to any part of these Terms, you must not use the Service.
The Service is a business-to-business offering. It is not intended for, and must not be used by, consumers acting outside a trade, business, craft, or profession.
Description of the Service
0Day Labs provides a developer-facing API for synthetic telemetry testing. In response to structured inputs from your automation, the API returns generated telemetry payloads intended to support legitimate frontend-validation, quality-assurance, compatibility, availability-monitoring, security-research, and authorized-automation workflows against destination websites you identify at onboarding (each a "Target Domain") and that you have the right to exercise.
The Service is a stateless request/response API. We do not operate crawlers, browsers, proxies, scrapers, or any client that connects to any Target Domain on your behalf, and we do not see, cache, or intermediate any response your automation later receives from a Target Domain. We do not represent that the output of the API will have, or will not have, any particular interaction with any third-party detection, monitoring, fraud-prevention, or bot-management system deployed on a Target Domain; customers are responsible for their own testing and for the legality of the use to which the output is put.
You are the operator of the automation that consumes our output. What happens between your automation and any Target Domain (including every HTTP request, every decision to send or withhold a request, every downstream data collection, and every contractual relationship with the Target Domain's operator) is yours and yours alone.
Accounts & onboarding
3.1 Account creation & manual review
Accounts are created through our signup flow and activated only after a human admin review. Submission of a signup does not create any entitlement to the Service. Until review concludes, your account is held in a pending state with no API access. Activation is granted only where, in our sole judgment, your identity, organization, intended use case, Target Domains, and volume estimates are consistent with these Terms and our Acceptable Use expectations.
We may refuse, delay, suspend, or terminate any account at our sole discretion, at any moment, and without prior notice, including where information provided at signup is incomplete, inaccurate, vague, inconsistent, or indicative of intended misuse; where we are unable to satisfy ourselves that your use is lawful and authorized; where your declared use case does not match our policies; or where we otherwise determine in good faith that activation would create unacceptable legal, regulatory, reputational, or operational risk. Rejections are at our sole discretion, final, and need not be reasoned. Where legally required, we will notify you of an admission decision through the email address on your signup; otherwise we may issue the decision without further communication.
To protect against automated abuse we apply rate limits and quality gates at the signup stage, including but not limited to per-IP signup limits, per-email-domain burst limits, and a disposable-email blocklist. Attempts to circumvent these gates (for example, cycling through IP addresses or email providers) are themselves grounds for refusal.
3.2 Information you provide
You must provide accurate, current, and complete information in the signup flow and keep that information current. The information we require includes, without limitation:
- your identity (name, email, optional role);
- your organization (name, company website, country of operation, and, where applicable, a business-registration number or equivalent);
- a description of your company and what it does;
- a specific description of your intended use case for the Service (generic descriptions such as "scraping" alone will be declined);
- the list of Target Domains you intend to exercise;
- your expected traffic volumes (per day and per month) and your expected peak concurrency;
- your launch timeline; and
- your express confirmations that (i) you are authorized to exercise the Target Domains listed and (ii) the information provided is accurate and complete.
Material misrepresentation (including understating volume, masking the identity of the real operator, misstating the nature of your use, listing Target Domains you are not authorized to exercise, or providing a use case description that does not match actual usage) is a material breach of these Terms and grounds for immediate termination, forfeiture of any prepaid balance, and referral to affected third parties or authorities where appropriate.
3.3 Target Domains & per-domain whitelist
The Target Domains you declare at signup are loaded into a per-customer whitelist in a pending state. Each Target Domain is reviewed and approved individually by our team before the Service will accept calls routed to that domain. Requests routed to domains that have not been individually approved may be rejected, flagged, or used as a signal that the account is operating outside its declared scope.
Adding additional Target Domains after onboarding requires submitting a further whitelist request, which we review on the same basis as signup. We may refuse to whitelist any domain for any reason, including concerns about the lawfulness, ethics, or authorization of your intended use against that domain.
3.4 Credentials
You are responsible for safeguarding your account password, session cookies, and API keys. API keys are bearer credentials: anyone in possession of a key can incur billable usage on your account. You must notify us without undue delay of any actual or suspected compromise, and you remain liable for all usage incurred before revocation is processed. We do not store plaintext API keys; a leaked key must be rotated.
Acceptable use
4.1 Permitted use cases
The Service is offered for lawful, business-to-business purposes that assume prior authorization on the Target Domain. Examples include, without limitation:
- synthetic monitoring, quality-assurance, and regression testing of websites and endpoints you own or operate;
- authorized compatibility, availability, or performance testing of websites you are engaged to test under contract (for example, as a vendor testing a customer's own property);
- security research conducted under a written authorization, bug-bounty programme, or responsible-disclosure framework published by the Target Domain operator;
- internal engineering, CI/CD, and load-testing workflows that generate synthetic telemetry to validate client-side instrumentation; and
- academic or industry research, conducted in compliance with applicable law, where the researcher has the necessary authorization.
You are responsible for determining, before you use the Service against any Target Domain, whether your specific use is lawful and authorized in every jurisdiction involved. Inclusion of a use case in the list above does not, by itself, establish that your particular application of that use case is lawful or authorized, and no text in these Terms should be read as an endorsement of any specific use against any specific Target Domain.
4.2 Restrictions
You agree that you will not, and will not permit any third party to:
- use the Service in violation of any applicable law, regulation, or court order, including without limitation the US Digital Millennium Copyright Act (including 17 U.S.C. § 1201 and equivalent anti-circumvention statutes in other jurisdictions), the US Computer Fraud and Abuse Act and equivalent computer-misuse and unauthorized-access laws, and laws governing data protection, sanctions, export control, consumer protection, trade secrets, intellectual property, or fraud;
- use the Service to circumvent, defeat, disable, or bypass any technological protection measure, access control, authentication mechanism, rate limit, paywall, digital-rights-management system, or other measure controlling access to, or copying of, a copyrighted work, protected system, or protected service;
- use the Service to access any system, account, data, or protected work without the authorization of the party entitled to grant it;
- use the Service to scrape, extract, or bulk-copy copyrighted content, personal data, or proprietary datasets from any Target Domain in a manner that exceeds the scope of any licence, consent, or lawful basis you hold;
- use the Service in a way that breaches the terms of service, acceptable-use policy, API terms, or robots directives of a Target Domain, where those terms have contractual or other legal effect against you;
- use the Service to commit, facilitate, or attempt fraud, identity theft, payment-card abuse, credential stuffing, account takeover, sybil-style account creation, unauthorized reselling of goods, unauthorized ticket acquisition, click-fraud, review manipulation, or any other dishonest, deceptive, or manipulative practice;
- use the Service to generate traffic that a reasonable operator of a Target Domain would characterize as a denial-of-service, degradation-of-service, or resource-exhaustion attack, whether distributed or not;
- use the Service to harvest personal data in violation of applicable data-protection law, or to process data relating to children, health, finances, political opinions, or other categories subject to heightened protection, without the required legal basis;
- use the Service to develop, train, or enrich any model, dataset, tool, or derivative service intended to provide anti-bot circumvention, fingerprint impersonation, detection-evasion, or similar functionality to third parties;
- resell, sublicense, rent, lease, time-share, or otherwise make the Service available to any third party other than your own end-users operating through your own product;
- reverse engineer, decompile, disassemble, or attempt to discover the source code or underlying ideas of the Service, except to the extent expressly permitted by law that cannot be excluded by contract;
- probe, scan, or test the vulnerability of our infrastructure, circumvent any authentication or rate-limiting control, interfere with another customer's usage, or use the Service to deliver malware;
- misrepresent your identity or the purpose of your use of the Service (to us, to any Target Domain operator, or to any regulator), or market any product that embeds output of the Service as being capable of evading, defeating, or remaining undetected by any specific third-party detection, monitoring, fraud-prevention, or bot-management system; or
- remove, obscure, or falsify any notice of authorship, trademark, or origin on any materials we provide.
4.3 Enforcement & discretionary termination
We actively monitor usage metadata (including the Target Domains being exercised, traffic volumes, concurrency patterns, API-key activity, and the consistency of actual use with the use case you declared at signup) for signals that an account is operating outside these Terms or outside the scope approved at onboarding.
We may suspend or terminate your access to the Service at any moment, with or without notice, and without refund, where we form a good-faith suspicion that:
- you are exercising, or attempting to exercise, a domain you are not authorized to exercise;
- your actual usage materially diverges from the use case, volume, concurrency, or Target Domain list you declared at signup;
- your use of the Service is, in our reasonable judgment, ethically or legally questionable, regardless of whether we can conclusively prove a specific violation;
- your account is implicated in fraud, credential abuse, unauthorized reselling, denial-of-service, or any other restricted activity described in §4.2;
- a credible complaint or takedown request has been received from a Target Domain operator, rights-holder, regulator, law-enforcement body, or court;
- your continued access creates material legal, regulatory, reputational, or operational risk to us, our infrastructure, our other customers, or any third party; or
- you have provided any inaccurate, misleading, or evasive information, whether at signup or thereafter.
The above list is illustrative, not exhaustive. Our right to suspend or terminate is at our sole discretion and is not conditional on a formal finding of breach. On termination, we may revoke every API key on your account, wipe your Target Domain whitelist, and cooperate with affected third parties and authorities.
Where we terminate on grounds of fraud, material misrepresentation, or a breach of §4.2, accrued fees remain payable and prepaid balances are forfeit to the fullest extent permitted by law. For terminations on other discretionary grounds (including good-faith ethical concern in the absence of a specific provable violation), accrued fees remain payable but we will refund the unused portion of any prepaid balance, less any reasonable processing or payment-processor fees incurred.
Nothing in this section requires us to detect or prevent misuse, and our failure to exercise any of the rights described here in a particular case is not a waiver of those rights in any other case.
4.4 Authorization evidence & complaint cooperation
On our request, you must promptly provide written evidence that you are authorized to exercise any Target Domain on your whitelist (for example, a contract, a permission letter, the relevant robots or terms-of-service text, or documentation of domain ownership). Failure to provide adequate evidence within the period we specify (not less than seven (7) days) is itself grounds for suspension of the affected domain or of your account.
If we receive a complaint, cease-and-desist, DMCA notification, or takedown request from a Target Domain operator, rights-holder, regulator, or court that implicates your use of the Service, we may, at our sole discretion and without prior notice: (a) suspend the affected Target Domain on your whitelist, (b) suspend your account pending investigation, (c) disclose information reasonably necessary to the complainant or the relevant authority, and (d) cooperate with any lawful process. You agree to cooperate in good faith with any resulting investigation, including by providing, within a reasonable time, evidence of your authorization to operate against the affected Target Domain. Where we suspend pending investigation and the complaint is subsequently withdrawn or found to be unsupported, we will restore access as soon as reasonably practicable.
We do not hold ourselves out as able to help you obtain the authorizations described in §4.1 or §3.3. On request, we may provide generic template language you may use to seek authorization from a Target Domain operator, but we make no representation that any such template is sufficient for any specific situation, and any use of a template is at your sole risk.
4.5 No evasion or undetectability representations
We make no representation, warranty, or commitment that the Service, or any output of it, will evade, defeat, bypass, remain undetected by, interoperate with, or produce any particular result against any named or unnamed third-party detection, monitoring, fingerprinting, fraud-prevention, or bot-management system. The Service is not marketed, sold, or documented as a tool for any such purpose. You agree that you will not describe the Service to any third party, nor market any product incorporating output of the Service, as being capable of achieving any such result. Any statement, benchmark, customer testimonial, or third-party comparison that appears outside these Terms is provided for illustrative purposes only, is not incorporated into these Terms, and does not create any warranty or commitment on our part.
Fees, billing & taxes
The Service is priced on a pay-per-successful-payload basis at the rate displayed in your console at the time of the call, subject to any individually negotiated arrangement. Fees accrue per successful payload generation. We may change published pricing on at least fourteen (14) days' notice, effective prospectively.
You are responsible for all taxes, duties, withholdings, and similar governmental charges arising from your use of the Service other than taxes imposed on our net income. Where we are required to collect indirect tax (including VAT or equivalent), you agree to provide accurate tax-status information and you remain liable for any shortfall arising from misstatement.
Invoiced amounts are due on issue unless stated otherwise. Overdue balances accrue interest at the lesser of 1.5% per month and the maximum rate permitted by applicable law. Prepaid balances are non-refundable except where required by law or by our Refund Policy.
Paddle (Paddle.com Market Ltd, Malta, and its affiliates) acts as our Merchant of Record for Service transactions. Paddle collects, processes, and (where applicable) remits indirect taxes including VAT and sales tax on the transactions it settles. Paddle's own terms and privacy policy govern the payment transaction itself; disputes over payment-method handling, tax assessment, or refund processing mechanics are administered through Paddle. Nothing in this section shifts responsibility for the fees themselves, which remain between you and 0Day Labs.
Intellectual property
The Service, including its APIs, dashboards, documentation, source code, models, algorithms, telemetry-generation logic, and the look and feel of any of the foregoing, is owned by 0Day Labs and its licensors and is protected by copyright, trademark, trade secret, and other intellectual-property laws. Subject to your compliance with these Terms, we grant you a limited, non-exclusive, non-transferable, non-sublicensable, revocable licence to access and use the Service solely for the purpose contemplated by these Terms and solely during the term of your account. No other rights are granted.
The output of the Service (a "Payload") is licensed to you on the same basis as the Service itself for one-time submission to the Target Domain against which it was generated. We retain all rights we have in the processes, know-how, and models used to produce the Payload. Aggregated or de-identified usage data derived from your calls may be retained and used by us for the purpose of improving the Service.
Privacy & data handling
Our handling of personal data is described in the Privacy Policy, which forms part of these Terms. You must not transmit personal data to us through the Service except for fields the Service is documented to accept, and you must have a lawful basis for any such transmission.
Confidentiality
Non-public information disclosed by either party in connection with the Service ("Confidential Information") must be protected with at least the same degree of care that the receiving party applies to its own confidential information of like importance, and no less than a reasonable degree of care. Confidential Information may be used only to exercise rights and perform obligations under these Terms and may be disclosed only to personnel and professional advisors bound by equivalent obligations. This section survives termination for three (3) years, except that trade secrets are protected for so long as they qualify as such under applicable law.
Warranty disclaimer
Except as expressly stated in these Terms, the Service is provided on an "as is" and "as available" basis. To the maximum extent permitted by applicable law, 0Day Labs disclaims all warranties, express or implied, including without limitation implied warranties of merchantability, fitness for a particular purpose, title, non-infringement, accuracy, completeness, uninterrupted operation, error-free operation, any particular level of availability or performance, and any particular interaction or non-interaction between the output of the Service and any third-party system, product, or service. No oral or written information or advice given by us or our representatives creates any warranty not expressly stated in these Terms.
Limitation of liability
To the maximum extent permitted by applicable law, in no event will 0Day Labs, its affiliates, or its personnel be liable under or in connection with these Terms or the Service, whether in contract, tort (including negligence), statute, or otherwise, for (a) any indirect, incidental, special, consequential, exemplary, or punitive damages, (b) any loss of profit, revenue, business, goodwill, opportunity, reputation, anticipated savings, or data, or (c) any cost of procurement of substitute goods or services, in each case however caused and whether or not we have been advised of the possibility of such damages. Our aggregate liability under or in connection with these Terms, whether in contract, tort (including negligence), statute, or otherwise, will not exceed the greater of (i) the fees you actually paid to us for the Service in the three (3) months immediately preceding the event giving rise to the liability, and (ii) one hundred euro (€100).
Nothing in these Terms excludes or limits either party's liability for fraud, fraudulent misrepresentation, death or personal injury caused by negligence, or any other liability that cannot be excluded or limited as a matter of applicable law.
Indemnity
You will defend, indemnify, and hold harmless 0Day Labs, its affiliates, and its personnel from and against any claim, demand, suit, or proceeding brought against any of them by a third party (including any Target Domain, any regulator, and any data subject), and any resulting loss, damage, liability, fine, cost, or expense (including reasonable legal fees), to the extent arising out of or related to (a) your use of the Service, (b) your breach of these Terms or of any law, regulation, or third-party right, (c) the activities conducted by, or on behalf of, the automation that consumes Payloads, or (d) any content, instruction, or Target Domain you submit to the Service.
Suspension & termination
We may suspend or terminate your access to the Service, in whole or in part, at any time, with or without notice, where (a) you have breached these Terms, (b) we are required to do so by applicable law or by a competent authority, (c) continued provision of the Service to you creates a material risk to us, to another customer, or to a third party, or (d) you become insolvent, enter liquidation, or are the subject of an analogous procedure. You may terminate your account at any time by contacting us.
On termination for any reason, your right to use the Service ends immediately, accrued fees become due, and Sections that by their nature should survive (including fees, intellectual property, warranty disclaimer, limitation of liability, indemnity, confidentiality, and governing-law/dispute-resolution) survive.
Changes to these Terms
We may modify these Terms from time to time. Where a change is material, we will give reasonable notice by email to the address on your account and by publishing the revised Terms in your console. Continued use of the Service after the effective date of a change constitutes acceptance of the revised Terms. If you do not accept a change, your sole remedy is to terminate your account before the change takes effect.
Governing law & disputes
These Terms, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with them, their subject matter, or their formation, are governed by, and will be construed in accordance with, the law notified to you at onboarding or, absent such notice, the law of the jurisdiction in which 0Day Labs is established from time to time, excluding its conflict-of-laws rules. Each party irrevocably submits to the exclusive jurisdiction of the competent courts of that jurisdiction for the resolution of any such dispute, save that we may bring proceedings for injunctive or equivalent relief in any court of competent jurisdiction.
The United Nations Convention on Contracts for the International Sale of Goods does not apply to these Terms.
General
Entire agreement. These Terms, together with the Privacy Policy and any order documentation expressly incorporated herein, constitute the entire agreement between the parties with respect to the Service and supersede all prior or contemporaneous understandings.
Severability. If any provision of these Terms is held unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will remain in full force.
No waiver. A party's failure to enforce any right or provision is not a waiver of future enforcement of that or any other right or provision.
Assignment. You may not assign or transfer these Terms, by operation of law or otherwise, without our prior written consent. We may assign these Terms freely, including in connection with a merger, acquisition, or sale of all or substantially all of our assets.
Force majeure. Neither party is liable for any delay or failure to perform caused by events beyond its reasonable control, including acts of God, war, terrorism, civil unrest, cyberattack, labor dispute, supplier failure, or governmental order.
Notices. Notices to you may be given through the email address on your account or in your console. Notices to us must be given through the contact channel published on our website.
No agency. The parties are independent contractors. Nothing in these Terms creates any agency, partnership, joint venture, fiduciary, or employment relationship.